The security team at Sucuri publicized a critical vulnerability found in the WordPress Slider Revolution plugin recently. The bug has since been patched, but the development team for Slider Revolution kept silent about it and did not notify their users of the importance of updating.

The popular commercial slider plugin is hosted on Codecanyon, an offshoot of EnvatoMarket. The slider is bundled in theme packages, such as Avada, Themeforest’s top-selling theme. It’s also packaged with other popular themes such as X Theme, uDesign, and Jupiter, in addition to being used independently on thousands of websites.

Details of the Vulnerability

This is a nasty security vulnerability by which virtually anyone could easily gain access to your database credentials and everything else. It allows a remote attacker to download any file from the server, including the wp-config.php file, which gives the hacker full access to your site. Sucuri shared an example of how easily a site’s wp-config.php file could be retrieved by exploiting the vulnerability.

“This type of vulnerability is known as a Local File Inclusion (LFI) attack,” Sucuri explained. “The attacker is able to access, review, and download a local file on the server.”

The Slider Revolution vulnerability was first disclosed via underground forums before the plugin’s author decided to patch it silently. A team of Bangladeshi hackers published a video on YouTube detailing how to exploit sites that are vulnerable.

The cyber advisory issued on the security threat states that the vulnerability is being actively exploited in the wild. The vulnerability places small, medium, and large government and business entities at a high risk.

Sucuri analyzed WAF access logs and confirmed that today alone “there were 64 different IP addresses trying to trigger this vulnerability on more than 1,000 different websites within our environment.”
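The kind of log triage behind those WAF numbers, as an added example that is not Sucuri’s code or from the article: it parses constructed access log lines (a vhost-style format with the site name as the first field, made-up IPs and sites, and a hypothetical `file=` parameter standing in for whatever the plugin exposed), flags requests that combine path traversal with a sensitive file name, and reports distinct sources, distinct targeted sites, and which sites answered such a request with a 2xx.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log (site, client IP, request, status). These lines, hosts and
# addresses are made up for the example; they are not Sucuri's WAF data.
SAMPLE_LOG = """\
site-a.example 203.0.113.10 - - [15/Sep/2014:10:01:02 +0000] "GET /index.php?file=../../wp-config.php HTTP/1.1" 200 2931
site-a.example 198.51.100.7 - - [15/Sep/2014:10:01:09 +0000] "GET /wp-content/uploads/logo.png HTTP/1.1" 200 5120
site-b.example 203.0.113.10 - - [15/Sep/2014:10:02:15 +0000] "GET /index.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 2877
site-c.example 192.0.2.44 - - [15/Sep/2014:10:03:40 +0000] "GET /index.php?file=....//....//wp-config.php HTTP/1.1" 403 211
site-a.example 192.0.2.44 - - [15/Sep/2014:10:04:01 +0000] "GET /?s=wp-config.php+tutorial HTTP/1.1" 200 8800
"""

# vhost_combined-style line: <site> <ip> <ident> <user> [<time>] "<method> <target> <proto>" <status> ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Files an arbitrary-file-download bug is typically pointed at.
SENSITIVE = ("wp-config.php", "/etc/passwd")


def is_file_disclosure_attempt(target: str) -> bool:
    """True when the request target pairs a traversal sequence with a sensitive file name.

    Decoding twice normalises single- and double-encoded traversal (%2e%2e%2f, %252e%252e%252f)
    before matching; '....//' style variants are caught by allowing runs of dots and slashes.
    """
    decoded = unquote(unquote(target)).lower()
    has_traversal = re.search(r"\.\.+[\\/]", decoded) is not None
    return has_traversal and any(name in decoded for name in SENSITIVE)


def summarize(log_text: str) -> dict:
    """Aggregate disclosure attempts the way a WAF report does: who, where, and what got through."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_file_disclosure_attempt(m["target"]):
            attempts.append((m["ip"], m["host"], int(m["status"])))
    return {
        "attempts": len(attempts),
        "source_ips": sorted({ip for ip, _, _ in attempts}),
        "targeted_sites": sorted({host for _, host, _ in attempts}),
        # A 2xx on a traversal request means the file was probably served: treat that site as
        # compromised and rotate the database credentials and salts held in wp-config.php.
        "likely_disclosed": sorted({host for _, host, st in attempts if 200 <= st < 300}),
        "top_sources": Counter(ip for ip, _, _ in attempts).most_common(),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A blocked (403) request still counts as an attempt, so the source list stays complete even when the WAF stopped the download.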

Users Advised to Update Slider Revolution Immediately

If you are using the Slider Revolution plugin on your site, you need to update immediately to avoid becoming a victim of this critical vulnerability. You should also scan your files and database for evidence of hacking and put hardening measures in place to prevent future attacks.

Although the issue was fixed in version 4.2 of the plugin, issued February 25th, the changelog simply referenced a “security fix.” Users have since commented on the product’s Codecanyon page to express outrage at not having been further notified:

You should have let us know to update immediately. I am signed up for notifications of updates, but the only way I found out about this was through the Sucuri blog.

The team at ThemePunch, the plugin’s creators, allegedly contacted multiple security companies for advice on the matter.

“We urgently discussed this security issue with leading Security Companies and we were strongly advised to go with a Silent Update,” a ThemePunch representative replied. They also referenced an auto update system that users can sign up for to receive notice in the future.

“We have an Update system for Auto Updates, for which you can register once you have purchased the item, which informs you about new updates.”

The Risk of Using Free or Commercial Extensions Without Update Notifications

If you are using a commercial plugin or theme that has no auto-update system or relies on email to notify you of updates, you need to be very proactive about keeping yourself informed. A critical security vulnerability, such as the one reported for Slider Revolution, can easily take down your site(s) if you neglect updates. Theme authors don’t always update their bundled plugins, and their users cannot take advantage of the auto-update system provided by the plugin author.

This particular security threat wouldn’t put so many sites in danger if the Slider Revolution plugin was not bundled into themes. Bundling commercial plugins with themes tends to obscure the details of how users can get plugin updates. Even with an update notification system, users are made vulnerable by developers who patch silently and don’t make an effort to notify their user base about a critical security update. Users can protect themselves from situations like this by declining to purchase themes that bundle plugins/functionality.

27 Comments

If you do not have the auto-update function included, contact their support at http://themepunch.ticksy.com with the license key of your theme. No need to cuss; that is no help. Sarah, please include this effort in your article as well. I have no connection with Envato, just spreading the word.

I totally disagree. The slider plugin was bundled in a theme that a PREVIOUS web developer installed for one of my clients. As such, I do not have the theme license key. There is NO WAY that I would ever have known about this extreme vulnerability had Sucuri not released it.

The bundling of premium plugins in purchased themes is maybe a practice that needs further discussion, for just this very reason. There are, however, excellent theme designers who do it the right way, like http://www.web-savvy-marketing.com who give you a personal license to any premium plugins that are included.

On an aside, the one three-letter word that I used is mild in comparison to the damage that was caused by the author’s “silent update” strategy.

If you have purchased a theme that included this plugin prior to the update going out, you may need to contact that theme developer or ensure a fixed version is packaged with the theme you have purchased. Many themes have this plugin included, which in turn only allows updates to occur if the theme developer issues an update with a fixed version of the plugin.

Wowzers, that really is a security flaw! Thing is, without some way to reliably inform users (some of whom will not check their sites regularly of course) this kind of plugin-caused vulnerability will no doubt crop up again and again… Quite disturbing really!

Just a quick note, this issue was originally fixed in February by themepunch, the developers of Revslider. With that being said, Avada is always up-to-date with the included plugins.

Always remember to update your theme and plugins. Both the theme and plugin have the WordPress built-in plugin updater. Enter your purchase key in the right area (always mentioned in the documentation) and update regularly. This goes for all themes and plugins.

Too bad WordPress won’t allow paid plugins to be sold through wordpress.org (and why paid themes but not plugins?). Since they don’t, we are left with a patchwork of different web sites and auto-updaters. C’mon WordPress, it’s time to make an ‘app store’ so we can get updates from one place and keep our blogs secure.

I’m not exactly thrilled with premium plugins being packaged into themes but this is such a silly statement: “Users can protect themselves from situations like this by declining to purchase themes that bundle plugins/functionality.”

With the same logic, users shouldn’t use any product that has ever had a security flaw. Like WordPress itself?

That post outlines what we’re doing, links to a list of themes which were potentially affected, and has information for users on how to get an updated version of the plugin (they can get this for free) etc.

We’ll be contacting all buyers of the potentially affected themes via email address and making sure they are aware of the situation and what they should do.

We’ve been going through the list of potentially affected items, checking them and disabling if they still have an affected version of the plugin. Once the authors have updated their themes to include a fixed version of the plugin, we’ll re-activate them.

Any questions, let me know! Also, if anyone notices any security issues with a ThemeForest or CodeCanyon item in future, please let me know so we can take action.

Revolution Slider was bundled with the theme we purchased from ThemeForest for our site, along with Visual Composer. I found that both of these tools were not receiving updates anywhere near the frequency via the bundle vs the individual licensing/download route. I ended up purchasing additional individual licenses so I could keep both plugins up-to-date. I’ve since taken the position that any premium plugins that are ‘bundled’ with a theme or other plugin will need to also be purchased separately in order to access more frequent updates and maintain the integrity/security of my WordPress installation.